How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (all versions)
  • IPv6 networking

Issue

  • How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?

  • When I attempt to disable IPv6 in RHEL 5, IPv4 does not connect. I had to re-enable IPv6 via console commands to connect the server to the network.

  • Why do I see errors when changing IPv6 kernel parameters?

    # sysctl -p
    error: "net.ipv6.conf.default.accept_redirects" is an unknown key
    error: "net.ipv6.conf.default.accept_ra" is an unknown key
    error: "net.ipv6.conf.all.disable_ipv6" is an unknown key
    error: "net.ipv6.conf.default.disable_ipv6" is an unknown key
    
  • How do I automate IPv6 configuration to comply with security policies (like Center for Internet Security - CIS) with Security Content Automation Protocol (SCAP)?
    • Ensure IPv6 is disabled through kernel boot parameter
    • Disable IPv6 Addressing on All IPv6 Interfaces
    • Disable IPv6 Addressing on IPv6 Interfaces by Default
    • Disable IPv6 Networking Support Automatic Loading

Resolution

There are two different ways to disable IPv6 functionality.

First, select which type of IPv6 disabling you wish to perform:

Disable IPv6 Addressing

  • Stops a network interface from adding an IPv6 Link-Local (fe80:) or any other IPv6 address
  • Does not prevent execution of IPv6 code in the Linux kernel
  • The system is still aware of what IPv6 packets are and can handle them
  • Applications can still open AF_INET6 sockets and IPv4 traffic can reach those sockets using IPv4-mapped IPv6 addresses
  • Usually does not require any additional application configuration and usually does not break applications

Disable IPv6 Protocol

  • Prevents execution of any IPv6 code in the Linux kernel
  • Makes the system unable to handle IPv6 packets
  • Prevents applications from opening AF_INET6 network sockets
  • Might require additional application configuration or break some applications which assume IPv6 is enabled
  • Red Hat does not fully test with IPv6 disabled; you must thoroughly test your systems and applications after disabling IPv6 this way
  • If NetworkManager connections are incorrectly left enabled, then "Operation not supported" warnings will be logged by NetworkManager

Avoid Incorrect Configuration!

Note: Regardless of which method is chosen, the system must be configured to disable IPv6 addressing.

While every possible configuration cannot be predicted, the overall aim is not to have conflicting configuration with IPv6 enabled in one place but disabled in another. Configuration must be consistent.

Additional issues could be encountered after IPv6 is disabled:



Disable IPv6 in RHEL 7 and later

Disable IPv6 addressing

Remove any IPv6 addresses, IPv6 gateways, and turn the IPv6 address method off.

For RHEL 7 and RHEL 8.0:

# nmcli connection modify <Connection Name> ipv6.addresses "" ipv6.gateway ""
# nmcli connection modify <Connection Name> ipv6.method "ignore"

For RHEL 8.1 to 8.10, RHEL 9, and RHEL 10:

# nmcli connection modify <Connection Name> ipv6.addresses "" ipv6.gateway ""
# nmcli connection modify <Connection Name> ipv6.method "disabled"

Comment out any IPv6 addresses found in /etc/hosts, including the ::1 localhost address:

# cp -p /etc/hosts /etc/hosts.KCS8709
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts

Create a new file named /etc/sysctl.d/ipv6.conf containing the following settings:

# Disable IPv6 for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1

# Disable IPv6 for each network interface
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.<interface>.disable_ipv6 = 1

Back up and rebuild the initramfs:

# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).KCS8709.img
# dracut -f -v

Verify file inclusion:

# lsinitrd /boot/initramfs-$(uname -r).img | grep 'etc/sysctl.d/ipv6.conf'

Reboot the system.

Disable the IPv6 protocol

Perform the above steps to disable IPv6 addressing.

Edit /etc/default/grub and append ipv6.disable=1 to GRUB_CMDLINE_LINUX like the following example:

GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root ipv6.disable=1"

Run the grubby command to update the GRUB configuration:

# grubby --update-kernel=ALL --args="ipv6.disable=1"

Reboot the system.

Note: After the IPv6 protocol is disabled, the following messages may be logged, depending on the system version. They can be safely ignored because they have no effect on the system.

systemd-sysctl[253]: Couldn't write '1' to 'net/ipv6/conf/<interface>/disable_ipv6', ignoring: No such file or directory
systemd-sysctl[244]: Couldn't write '1' to 'net/ipv6/conf/all/disable_ipv6', ignoring: No such file or directory
systemd-sysctl[244]: Couldn't write '1' to 'net/ipv6/conf/lo/disable_ipv6', ignoring: No such file or directory
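
A consistency check for the settings written by the steps above, as an added example that is not part of the original article or any Red Hat tooling. It also reports /etc/hosts entries that the sed expression above leaves active, since that expression only rewrites lines beginning with ::. The function names, finding labels and sample tree (including the 2001:db8::10 entry) are constructed, and only /etc/sysctl.conf, /etc/sysctl.d/*.conf, /etc/hosts and /etc/default/grub under the given path prefix are read.

```shell
# Added example: audit persistent IPv6-disable settings for conflicts.
# The argument is a path prefix (ROOT); empty means the live system.

# Print each value assigned to net.ipv6.conf.all.disable_ipv6, one per line.
sysctl_values() {
    { cat "$1"/etc/sysctl.conf "$1"/etc/sysctl.d/*.conf 2>/dev/null || true; } |
        sed -n 's/^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p'
}

# Print the address field of every active /etc/hosts line that is IPv6.
hosts_ipv6_addrs() {
    awk '$1 !~ /^#/ && $1 ~ /:/ { print $1 }' "$1/etc/hosts" 2>/dev/null || true
}

# Succeed when GRUB_CMDLINE_LINUX in /etc/default/grub carries ipv6.disable=1.
grub_protocol_disabled() {
    grep -Eq '^GRUB_CMDLINE_LINUX=.*["[:space:]]ipv6\.disable=1(["[:space:]]|$)' \
        "$1/etc/default/grub" 2>/dev/null
}

# Print space-separated findings, or "ok" when the settings agree.
audit_ipv6_config() {
    root=${1:-}
    vals=$(sysctl_values "$root" | sort -u | tr -d '\n')   # "", "0", "1" or "01"
    grub=no
    if grub_protocol_disabled "$root"; then grub=yes; fi
    out=""
    case "$vals" in
        01) out="sysctl-conflict" ;;   # enabled in one file, disabled in another
        1)  ;;                         # addressing disabled, nothing contradicts it
        *)  if [ "$grub" = yes ]; then out="addressing-not-disabled"; fi ;;
    esac
    if [ "$grub" = yes ] || [ "$vals" = 1 ] || [ "$vals" = 01 ]; then
        for addr in $(hosts_ipv6_addrs "$root"); do   # entries still active in hosts
            out="$out${out:+ }hosts-ipv6:$addr"
        done
    fi
    echo "${out:-ok}"
}

# Constructed sample tree: addressing and protocol disabled, one stray hosts entry.
make_sample_tree() {
    mkdir -p "$1/etc/sysctl.d" "$1/etc/default"
    echo 'net.ipv6.conf.all.disable_ipv6 = 1' > "$1/etc/sysctl.d/ipv6.conf"
    printf '%s\n' '127.0.0.1 localhost' '#::1 localhost' '2001:db8::10 app.example.test' > "$1/etc/hosts"
    echo 'GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1"' > "$1/etc/default/grub"
}

tmp=$(mktemp -d); make_sample_tree "$tmp"; audit_ipv6_config "$tmp"; rm -rf "$tmp"
```

The finding addressing-not-disabled corresponds to the note above that addressing must be disabled regardless of which method is chosen.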

Re-enable IPv6 support in RHEL 7 and later

Re-enable IPv6 addressing

If individual connections were disabled, modify the connection's ipv6.method from disabled to an appropriate value depending on the connection's addressing type. Possible options are:

# nmcli connection modify <Connection Name> ipv6.method "auto"
# nmcli connection modify <Connection Name> ipv6.method "dhcp"
# nmcli connection modify <Connection Name> ipv6.method "link-local"
# nmcli connection modify <Connection Name> ipv6.method "manual"

Note that some of the above commands require additional parameters, such as the DHCP client info or a static IP address.

See the nm-settings(5) manual page and/or refer to the documentation for IPv6 address configuration:

Restore the old /etc/hosts file:

# mv /etc/hosts.KCS8709 /etc/hosts

Delete the /etc/sysctl.d/ipv6.conf file.

Restore the original initial RAM disk image from the backup that was created:

# mv /boot/initramfs-$(uname -r).KCS8709.img /boot/initramfs-$(uname -r).img

Reboot the system.

Re-enable the IPv6 protocol

Perform the above steps to re-enable IPv6 addressing.

Edit /etc/default/grub and delete the entry ipv6.disable=1 from the GRUB_CMDLINE_LINUX, like the following example:

GRUB_CMDLINE_LINUX="rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root"

Run the grubby command to update the GRUB configuration snippets:

# grubby --update-kernel=ALL --remove-args="ipv6.disable=1"

Reboot the system.


Disable IPv6 support in RHEL 6

Disable IPv6 addressing

Edit the file /etc/sysctl.conf and add the following settings:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Comment out any IPv6 addresses found in /etc/hosts, including the ::1 localhost address:

# cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts

Disable IPv6 addressing in initscript ifcfg files and/or NetworkManager.

Disable the IPv6 protocol

Perform the above steps to disable IPv6 addressing.

There are some cases where disabling does not give the desired result:

Create a file /etc/modprobe.d/ipv6.conf with the following contents:

options ipv6 disable=1

Disable the ip6tables service from starting at boot:

# chkconfig ip6tables off

Reboot the system.


Re-enable IPv6 in RHEL 6

Review the files under /etc/modprobe.d/ and remove (or comment out) any of the following lines:

options ipv6 disable=1
install ipv6 /bin/true
blacklist ipv6
alias ipv6 off

Configure the ip6tables service to start at boot by issuing the following command:

# chkconfig ip6tables on

Make sure the following options in /etc/sysctl.conf are set to the default value '0':

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0

Make sure the following line exists in /etc/hosts and is not commented out:

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Edit /etc/netconfig: for the lines starting with udp6 and tcp6, change the - (hyphen/dash) in the third column to v.

Enable IPv6 addressing in initscript ifcfg files and/or NetworkManager.

Reboot the system.


Disable IPv6 in RHEL 5

Remove the following line (if present) from the /etc/modprobe.conf file:

alias net-pf-10 ipv6

Add the following line to the /etc/modprobe.conf file:

alias net-pf-10 off

In RHEL 5.4 and later, add the following line to the /etc/modprobe.conf file:

options ipv6 disable=1

In RHEL 5.3 and earlier, add the following line to the /etc/modprobe.conf file:

alias ipv6 off

In the /etc/sysconfig/network file, set the following parameter:

NETWORKING_IPV6=no

Comment out any IPv6 addresses found in /etc/hosts, including the ::1 localhost address:

# cp -p /etc/hosts /etc/hosts.disableipv6
# sed -i 's/^[[:space:]]*::/#::/' /etc/hosts

Disable the ip6tables service from starting at boot:

# chkconfig ip6tables off

Reboot the system to disable IPv6 support.


Re-enable IPv6 in RHEL 5

Remove the following lines (if present) from the /etc/modprobe.conf file:

alias net-pf-10 off
alias ipv6 off
options ipv6 disable=1

Add the following line to the /etc/modprobe.conf file (if not present already):

alias net-pf-10 ipv6

Change the /etc/sysconfig/network file to the following:

NETWORKING_IPV6=yes

Make sure the following line exists in /etc/hosts and is not commented out:

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Configure the ip6tables service to start at boot:

# chkconfig ip6tables on

Reboot the system.


Root Cause

RHEL comes with IPv6 enabled by default.

In certain situations, users might need to disable IPv6 support, or to re-enable it after it has been disabled.

The ipv6 module disable option can only be set at the time the module is loaded. As the module is compiled into the kernel from RHEL 7 onward, this means a reboot is needed to both set and unset the option.

# dmesg | grep IPv6
[    0.738057] IPv6: Loaded, but administratively disabled, reboot required to enable

When the module option ipv6.disable=1 is set, the IPv6 protocol family handlers are not registered with the kernel. Any attempt to create an IPv6 protocol family (AF_INET6) socket will fail and IPv6 addresses cannot be assigned to an interface. The socket() syscall with the family set to AF_INET6 will return an error EAFNOSUPPORT. None of the sysctl net.ipv6.* parameters will exist.

We can see in the inet6_init() function that early on (here at lines 844-847) the disable=1 module option (disable_ipv6_mod) is tested, and if it is set, the rest of the initialization sequence is skipped, including registering all the necessary protocol handlers:

 833 static int __init inet6_init(void)
 834 {
...
 844         if (disable_ipv6_mod) {
 845                 pr_info("Loaded, but administratively disabled, reboot required to enable\n");
 846                 goto out;
 847         }

When the sysctl net.ipv6.conf.all.disable_ipv6=1 is set, IPv6 addresses will be stripped from any active interface and any attempt to assign an IPv6 address to an interface will fail with an error ENOPROTOOPT. However, this kernel tunable has no impact on whether the IPv6 protocol family is usable for socket operations. An AF_INET6 socket can still be created and bound to. This is relevant even if there are no IPv6 addresses assigned to the system because an IPv6 socket works with both IPv4 and IPv6.

Diagnostic Steps

The current state of the ipv6 module disable option can be seen via sysfs:

# cat /sys/module/ipv6/parameters/disable
1

The current state of the kernel tunable disable_ipv6 can be seen with the sysctl command:

# sysctl -a 2>/dev/null | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0

To list any IPv6 addresses assigned to the system:

# ip -6 addr

To list any IPv6 TCP or UDP sockets, the following command can be used:

# ss -6 -nap
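
The sysfs and sysctl checks above combined into a single verdict, as an added example that is not part of the original article. The function name, state labels and path-prefix argument are assumptions of this example, the sample tree is constructed from the sysctl output shown above, and /proc/sys/net/ipv6/conf is the file form of the net.ipv6.conf.* keys.

```shell
# Added example: classify the runtime IPv6 state from sysfs and procfs.
# The argument is a path prefix (empty for the live system) so the logic
# can be exercised on a constructed tree.

ipv6_runtime_state() {
    root=${1:-}
    mod="$root/sys/module/ipv6/parameters/disable"
    conf="$root/proc/sys/net/ipv6/conf"
    if [ -r "$mod" ] && [ "$(cat "$mod")" = 1 ]; then
        # ipv6.disable=1: the protocol handlers were never registered, so the
        # net.ipv6.* keys do not exist (sysctl -p reports "unknown key").
        echo "protocol-disabled"
        return 0
    fi
    if [ ! -r "$conf/all/disable_ipv6" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$(cat "$conf/all/disable_ipv6")" = 1 ]; then
        # Addresses are stripped, but AF_INET6 sockets can still be created.
        echo "addressing-disabled"
        return 0
    fi
    off=""
    for f in "$conf"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        case "$name" in all|default) continue ;; esac
        if [ "$(cat "$f")" = 1 ]; then off="$off${off:+,}$name"; fi
    done
    if [ -n "$off" ]; then echo "addressing-disabled-on:$off"; else echo "enabled"; fi
}

# Constructed sample: the values from the sysctl output shown above.
make_sample() {
    for i in all default eth0; do mkdir -p "$1/proc/sys/net/ipv6/conf/$i"; done
    mkdir -p "$1/sys/module/ipv6/parameters"
    echo 0 > "$1/sys/module/ipv6/parameters/disable"
    echo 1 > "$1/proc/sys/net/ipv6/conf/all/disable_ipv6"
    echo 0 > "$1/proc/sys/net/ipv6/conf/default/disable_ipv6"
    echo 0 > "$1/proc/sys/net/ipv6/conf/eth0/disable_ipv6"
}

d=$(mktemp -d); make_sample "$d"; ipv6_runtime_state "$d"; rm -rf "$d"
```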